NSA Apparently Purchasing Software Exploits From French Security Firm

from the and-everyone's-a-little-less-safe-now dept

The long history of US intelligence agencies' access to software exploits is well-documented. In the interest of "safety," the US government has undermined the safety of millions of users by gathering up exploits and utilizing them for as long as possible before patches and updates close the security holes. Some it acquires directly from companies that report holes in their own systems to the NSA and other agencies. Others it buys from contractors that specialize in probing software for usable exploits.

Heather Akers-Healy, using Muckrock's FOIA service, recently obtained a document from the NSA detailing its purchase of exploits from Vupen, a French security company specializing in sellable exploits. Unfortunately, the details in this "detailing" are incredibly sparse. Most of what might be interesting is redacted, and the majority of the document is standard contractual clauses.

If there's anything of interest here (beyond the purchase of exploits), it's the fact that the transaction takes place on a nondescript form which can be used to handle a variety of products. Due to the standardized wording, it almost appears as though the NSA has the option to purchase exploits by the truckload -- and that said exploits can only be delivered during the normal receiving hours of 7:30 am - 2:30 pm.

That being said, the purchase of exploits is something the NSA has been pretty open about (comparatively). Vupen, or at least its founder and CEO Chaouki Bekrar (who refers to himself as the "Darth Vader of Cybersecurity"), seems rather open about the exploit market itself. As Muckrock points out, Bekrar suggested other FOIA request topics when confronted with this document.

The "Binary Analysis and Exploits" subscription (pre-paid, yearly) that the NSA purchased is described on Vupen's site as more of a defensive product, but it's highly unlikely the intelligence agency viewed it the same way.

With 15 to 20 binary analysis and private 1-day exploits/PoCs released by VUPEN each month, the VUPEN Binary Analysis and Exploits service allows gov organizations to quickly and easily evaluate risks related to the most recent vulnerabilities, and protect national infrastructures against critical vulnerabilities before they are exploited in the wild.

While the NSA's document may lack a lot of details, a brochure obtained by Wikileaks shows what's available in Vupen's offensive package. This service targets law enforcement agencies (LEAs) as well as government agencies. LEAs could certainly be considered a "growth market," especially since so many are "rebranding" themselves as entities lying somewhere between a military force and an unofficial FBI field office.

What this program does is turn your subscription fee into credits and allow you (the LEA/government) to buy exploits with these credits (based on how valuable Vupen feels they are). It's like a Wii store for vulnerabilities. The ultimate aim?

VUPEN Exploits for Law Enforcement Agencies aim to deliver exclusive exploit codes for undisclosed vulnerabilities discovered in-house by VUPEN security researchers. This is a reliable and secure approach to help LEAs and investigators in covertly attacking and gaining access to remote computer systems.

Now, Vupen states on its site and in its brochures that it will only sell to "trusted countries and government agencies." Even if that is entirely true, the underlying issue doesn't go away. Instead of identifying holes and working with software companies to get them patched (or at least informing the general public), it's selling these off to various intelligence/law enforcement agencies.

If Vupen can find these exploitable holes, so can other untrustworthy actors, whether they're governments that don't quite make the "trusted" list or simply individuals looking to profit on the misery of others. Vupen can't corner this market. A security hole is a security hole and no one owns it or can prevent others from exploiting it (other than by closing the hole). What it's selling isn't necessarily scarce and what it's doing is allowing the public (including paying customers) to assume the risk while it profits.

VUPEN

VUPEN is one of these criminal companies that sells our security and privacy to doubtful government agencies for big money. It means that there is no ethics in such a company; how can you know that this exploit code you sold to the NSA will not be used for mass snooping on your fellow citizens?
Since when should you trust your government? History has clearly shown that we should not.
I don't think Mr Bekrar does this for any national security purposes; he just wants to play safe with the most powerful government. Also, his behavior in pointing at other companies which sell more exploit packs than VUPEN shows a lot about him.

Purchasing ANY security-related software/services from a foreign vendor should be prohibited.

What the FUCKING HELL are those morons thinking/smoking???

If they're good enough to know there are no back-doors installed, they're good enough to write it in-house.

I cannot believe the level of Stupid I'm seeing from Congress, The White house, and the so-called Security Services. I feel like I slowly transitioned to a "Bizarro" America, that no longer recognises reality.